Board: Development & Technical Discussion
Topic: Re: Bitcoin's extended private masterkey derivation path?
Post by Quickseller on 22/12/2016, 04:08:41 UTC
C) You calculate 10 addresses that are associated with your xprivkey, but do not do anything to let Core know that you have given these addresses out (e.g. you never click on "receive" -- or whatever it is called), and change your password. You subsequently receive bitcoin to those 10 addresses. Would you be able to spend those 10 inputs? If so, under what mechanism?
I don't think you actually would be able to spend those 10 inputs because Core does not keep keys that it has not marked as used. However, they might actually be spendable from Core because Core should still be tracking transactions related to those addresses. I will have to look at the code.

Edit: It looks like those inputs would be spendable because checking whether a transaction is part of the wallet does not care whether the address is used or not.
So this means that the xprivkey is not deleted, but is rather disregarded for calculating new addresses (and a new xprivkey used for future receiving/change addresses), correct? This would make more sense versus deleting the xprivkey and saving the used private keys because the wallet size could suddenly explode if thousands of addresses were used with the "old" xprivkey, and might cause issues if you change the password to a cold storage wallet.

If this is not already the case, then I think a prominent warning is needed that a wallet will need to be re-backed up when the wallet's password is changed, as other HD wallet programs do not change the xprivkey when a wallet's password is changed.
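
The backup concern raised in the post above, as an added example that is not part of the original thread and not Bitcoin Core's own code: it derives keys with BIP32 hardened derivation and checks whether a backup holding only the old seed covers a wallet that has switched to a new one. Assumptions: keys are handed out at the hardened path m/0'/0'/i', a password change makes the wallet use a second master seed as the thread discusses, and both seeds and the `backup_covers` helper are constructed for illustration.

```python
import hashlib
import hmac

# secp256k1 group order; private keys are integers modulo N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_from_seed(seed: bytes):
    """BIP32 master key from a seed: returns (private key int, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_hardened(key: int, chain: bytes, index: int):
    """BIP32 hardened child derivation; it needs only the parent private key."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key, a wallet would skip this index")
    return child, digest[32:]


def derive_receive_keys(seed: bytes, count: int):
    """Private keys at m/0'/0'/i' for i in range(count), as hex strings.
    The path is an assumption of this example."""
    key, chain = master_from_seed(seed)
    for _ in range(2):  # m/0', then m/0'/0'
        key, chain = ckd_hardened(key, chain, 0)
    return [format(ckd_hardened(key, chain, i)[0], "064x") for i in range(count)]


def backup_covers(backup_seeds, wallet_seeds, count=10):
    """True if every key the wallet can hand out is derivable from the backup."""
    have = {k for s in backup_seeds for k in derive_receive_keys(s, count)}
    need = {k for s in wallet_seeds for k in derive_receive_keys(s, count)}
    return need <= have


# Constructed seeds, for illustration only.
OLD_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NEW_SEED = bytes.fromhex("f0e0d0c0b0a090807060504030201000")

if __name__ == "__main__":
    # Backup taken before the seed change vs. the wallet after it.
    print("old backup covers old wallet:", backup_covers([OLD_SEED], [OLD_SEED]))
    print("old backup covers rotated wallet:",
          backup_covers([OLD_SEED], [OLD_SEED, NEW_SEED]))
```

Because every step is hardened, nothing derived from the old seed helps recover keys under the new one, which is why a fresh backup is the only way to cover them.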